Created 10-27-2016 12:19 PM
I have a fresh install of NiFi and am trying to enable TLS certificate-based security for the initial admin login, and I am getting the following error after successful authentication (see the nifi-user.log snippet below):
"Unable to perform the desired action due to insufficient permissions. Contact the system administrator."
Here are snippets of the relevant configuration defined in the nifi.properties file:
# web properties #
nifi.web.war.directory=./lib
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.web.jetty.working.directory=./work/jetty
nifi.web.jetty.threads=200

# security properties #
nifi.security.keystore=/apps/nifi/certs/server.pfx
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=Test
nifi.security.keyPasswd=
nifi.security.truststore=/apps/nifi/certs/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=Test
nifi.security.needClientAuth=true
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
Here is the configuration of the authorizers.xml file:
<authorizer>
    <identifier>file-provider</identifier>
    <class>org.apache.nifi.authorization.FileAuthorizer</class>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial Admin Identity">CN=Browser Client,OU=GUI,O="Test Inc "</property>
    <property name="Legacy Authorized Users File"></property>
</authorizer>
Here is the output from the nifi-user.log file:
2016-10-26 21:19:38,469 INFO [main] o.a.nifi.authorization.FileAuthorizer Authorizations file loaded at Wed Oct 26 21:19:38 UTC 2016
2016-10-26 21:20:35,238 INFO [NiFi Web Server-18] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2016-10-26 21:20:35,252 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=Browser Client, OU=GUI, O="Test Inc ") GET https://localhost:8443/nifi-api/flow/current-user (source ip: 127.0.0.1)
2016-10-26 21:20:35,253 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=Browser Client, OU=GUI, O="Test Inc "
2016-10-26 21:20:35,266 INFO [NiFi Web Server-18] o.a.n.w.a.c.AccessDeniedExceptionMapper CN=Browser Client, OU=GUI, O="Test Inc " does not have permission to access the requested resource. Returning Forbidden response.
Created 10-27-2016 01:31 PM
The problem is a whitespace issue...
If you look at your log you can see "CN=Browser Client, OU=GUI, O="Test Inc "" with a space before the OU.
If you look at the Initial Admin and users.xml there is no space, "CN=Browser Client,OU=GUI,O="Test Inc "", so it's not lining up.
You can fix this by stopping NiFi, updating authorizers.xml so the Initial Admin has the exact value from the logs, then deleting users.xml and authorizations.xml, and restarting.
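A small check for the mismatch described in this answer, added here as an example and not code from the thread or from the NiFi project. It pulls the identity NiFi logged on "Authentication success for ..." out of a nifi-user.log line, reads the identity attributes from users.xml, and reports whether they match exactly, differ only in spacing around the DN separators, or do not match at all. The log line and users.xml below are constructed to mirror the values in this thread (the quotes inside the identity attribute are written as &quot; so the XML is well-formed); the function names and the simplified DN splitter are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the thread (not files from a real deployment).
SAMPLE_LOG_LINE = (
    '2016-10-26 21:20:35,253 INFO [NiFi Web Server-18] o.a.n.w.s.NiFiAuthenticationFilter '
    'Authentication success for CN=Browser Client, OU=GUI, O="Test Inc "'
)

SAMPLE_USERS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<tenants><groups/><users>'
    '<user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade" '
    'identity="CN=Browser Client,OU=GUI,O=&quot;Test Inc &quot;"/>'
    '</users></tenants>'
)


def authenticated_identity(log_line):
    """Return the identity NiFi logged after 'Authentication success for', or None."""
    m = re.search(r"Authentication success for (.+)$", log_line)
    return m.group(1) if m else None


def configured_identities(users_xml):
    """Return the identity attribute of every <user> element in a users.xml document."""
    root = ET.fromstring(users_xml)
    return [u.get("identity") for u in root.iter("user")]


def dn_components(dn):
    """Split a DN string into (ATTR, value) pairs.

    Simplified handling (assumption of this example, not a full RFC 4514 parser):
    commas inside double-quoted values do not split, whitespace around the
    separators and '=' is dropped, whitespace inside a value is kept.
    """
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def diagnose(log_line, users_xml):
    """Classify how the logged identity relates to the identities in users.xml.

    Returns "exact match", "whitespace-only mismatch", "no match" or "no login found".
    As this thread shows, the file authorizer only recognises the user on an exact
    string match, so "whitespace-only mismatch" is exactly the Forbidden symptom.
    """
    logged = authenticated_identity(log_line)
    if logged is None:
        return "no login found"
    configured = configured_identities(users_xml)
    if logged in configured:
        return "exact match"
    if any(dn_components(logged) == dn_components(c) for c in configured):
        return "whitespace-only mismatch"
    return "no match"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE, SAMPLE_USERS_XML))
```

On real files, feed the "Authentication success" line from nifi-user.log and the contents of conf/users.xml; a "whitespace-only mismatch" result means the Initial Admin Identity in authorizers.xml should be set to the exact string from the log before regenerating users.xml and authorizations.xml.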
Created 10-27-2016 12:26 PM
Hi, the setup looks OK at first glance. If you made some changes over several NiFi restarts, can you try deleting the users.xml and authorizations.xml files and starting NiFi again? These should get regenerated and the Initial Admin user added.
Created 10-27-2016 12:36 PM
Hello Andrew, thanks for your suggestion. I followed it, but no luck; still the same problem.
Created 10-27-2016 01:09 PM
What version of NiFi are you running? Can you update to a newer one?
I recommend you use http://docs.hortonworks.com/HDPDocuments/HDF2/HDF-2.0.1/index.html
What user are you running as?
Created 10-27-2016 01:07 PM
users.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<tenants>
    <groups/>
    <users>
        <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade" identity="CN=Browser Client,OU=GUI,O=&quot;Test Inc &quot;"/>
    </users>
</tenants>
authorizations.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizations>
    <policies>
        <policy identifier="73374e81-e8b7-3b0c-969a-613a4075be39" resource="/flow" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="8aec400c-8546-3cba-a2a5-c0ae267f7ba4" resource="/data/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="a32dd30f-8225-37fb-805f-c57feb9b845e" resource="/data/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="132721c5-fdd0-330c-a3ab-3f2d6b17fa88" resource="/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="657eb4e4-91ca-3f88-97a3-6454dd3fc9d6" resource="/process-groups/021ba659-0158-1000-c2a3-c5666d9e00cb" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="7a28fc07-3e1c-3cd0-bf07-aaac0bf33c0a" resource="/tenants" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="71444cf0-a0e8-3efe-8669-6a49e9524d61" resource="/tenants" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="cc8f957c-8248-35bb-ac24-a399b544ea53" resource="/policies" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="fe68321a-85cb-3fd9-86e0-32a6684d9101" resource="/policies" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="7781460d-3a59-3bf3-88d4-78ac4e839e7e" resource="/controller" action="R">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
        <policy identifier="4b0b79aa-db0f-3672-b38b-27b4b7c07f59" resource="/controller" action="W">
            <user identifier="a0560a86-94ac-3985-8a3d-faaaeb14cade"/>
        </policy>
    </policies>
</authorizations>
Created 10-27-2016 01:15 PM
Does the user running NiFi have permissions to those files?
From the source code:
// If Kerberos Service Principal and keytab location not configured, throws exception
if (!properties.isKerberosSpnegoSupportEnabled() || kerberosService == null) {
    throw new IllegalStateException("Kerberos ticket login not supported by this NiFi.");
}
See:
If you are setting up a secured NiFi instance for the first time, you must manually designate an “Initial Admin Identity” in the authorizers.xml file. This initial admin user is granted access to the UI and given the ability to create additional users, groups, and policies. The value of this property could be a DN (when using certificates or LDAP) or a Kerberos principal. If you are the NiFi administrator, add yourself as the “Initial Admin Identity”.
https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
Do you have Kerberos?
Created 10-27-2016 01:27 PM
Tim, thanks for your feedback. I'm using the latest version of NiFi, and no, I am not using Kerberos.
Created 10-27-2016 01:48 PM
Yay, it works Bryan, nice catch. Thanks for your help. Thanks Andrew and Tim as well. Smacking myself in the back of the head as well 🙂